A note on using an LDAP group to grant sudo access

In order for sudo to perform an LDAP lookup you might need to add the "sudoers_base" parameter to the ldap.conf file, with a distinguished name to use as the search base for sudoers entries. Whether this is required depends on how the rest of your ldap.conf file is configured.

Example: sudoers_base ou=someOU,dc=someDomain,dc=com

Also, in order for sudo to validate that you are a member of an LDAP group, your UID must be associated with the group in the directory. My particular LDAP directory is Active Directory with the Microsoft Services for Unix installed. Each group has additional Unix attributes available that can contain the UIDs of its members.
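The following LDIF is an added illustration, not taken from the original note, of what the two pieces look like together: a group whose Unix attributes list its members by UID, and a sudoRole entry under the sudoers_base that grants that group sudo rights. The OU names, domain, group name and UIDs are made up, and the attribute name memberUid is the RFC 2307 name that Services for Unix exposes; check which attribute your own schema uses.

```ldif
# Constructed example: a group carrying Unix attributes so that sudo can
# match the user's UID against the group's member list.
dn: cn=unixadmins,ou=someOU,dc=someDomain,dc=com
objectClass: top
objectClass: group
cn: unixadmins
gidNumber: 10001
memberUid: alice
memberUid: bob

# Constructed example: a sudoRole stored beneath the sudoers_base given in
# ldap.conf. The leading "%" in sudoUser means "members of this group",
# exactly as it does in a flat sudoers file.
dn: cn=unixadmins,ou=sudoers,dc=someDomain,dc=com
objectClass: top
objectClass: sudoRole
cn: unixadmins
sudoUser: %unixadmins
sudoHost: ALL
sudoRunAsUser: root
sudoCommand: /usr/sbin/service
sudoCommand: /bin/journalctl
```

With this layout, sudoers_base would be set to ou=sudoers,dc=someDomain,dc=com. If a user is in the group's Windows membership but not listed under memberUid, sudo's group match fails even though the directory considers them a member, which is the situation the debugging section below helps you recognise.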

Debugging

If LDAP users or groups are not working with sudo you can add the "sudoers_debug" parameter to the ldap.conf file with a value of "2".

Example: sudoers_debug2

You can then use "sudo -l" to get a better idea of why the LDAP lookups may be failing.